Accepting request 257520 from home:cboltz

- update to AppArmor 2.9.0 (r2759) - change aa-mergeprof to the final commandline syntax - lots of bugfixes in the aa-* tools (bnc#900163, lp#1328707 and several bugs without a formal bugreport) - small additions to gnome, freedesktop.org, ubuntu-browsers.d/java and user-mail abstractions - fix mod_apparmor to not break basic auth - update perl modules to support signal, unix and ptrace rules (bnc#900013) - don't warn about rules not supported by the kernel - fix logging of "audit capability" (lp#1378091) - add support for the "hat" keyword in apparmor.vim - build html version of apparmor.vim manpage again (lp#1366572) - see also http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_0 - update apparmor-abstractions-no-multiline.diff - remove upstreamed apparmor-profiles-ntpd-pid-location.diff - add apparmor-abstractions-no-multiline.diff: change all multiline rules into one line. Needed for yast2-apparmor (bnc#900013) OBS-URL: https://build.opensuse.org/request/show/257520 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=104
2014-10-18 13:47:32 +00:00 · 2014-10-18 13:47:32 +00:00 · bc413776a0
commit bc413776a0
parent 225afaddfb
8 changed files with 327 additions and 25 deletions
--- a/apparmor-2.8.97.tar.gz
+++ b/apparmor-2.8.97.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:170a6495dd48246df1c042aa562fb759b287331ceed62c67961c81dc7ce6cba4
-size 2360991
--- a/apparmor-2.8.97.tar.gz.asc
+++ b/apparmor-2.8.97.tar.gz.asc
@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlQuRy8ACgkQgTeYuayTEnFnyACgyxwM2udlu+OnuaZwyMo0vsNZ
-YacAn0lEU5qGxRHoSQv/h7Uo7c9qhhtg
-=Bo0m
-----END PGP SIGNATURE-----
--- a/apparmor-2.9.0.tar.gz
+++ b/apparmor-2.9.0.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:782df74c8a7a8a5302b4ad0d00184a7e623ef0631c1b8a16a1d92a968e4b4b6b
+size 2354837
--- a/apparmor-2.9.0.tar.gz.asc
+++ b/apparmor-2.9.0.tar.gz.asc
@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAlRBdzoACgkQgTeYuayTEnESHwCfbHmZyLtb6Qn/Pj6479thHvkA
+R4AAoLWmkDZtpTJKSH5eUntBEuUtLrs9
+=wdnW
+-----END PGP SIGNATURE-----
--- a/apparmor-abstractions-no-multiline.diff
+++ b/apparmor-abstractions-no-multiline.diff
@ -0,0 +1,285 @@
+=== modified file 'profiles/apparmor.d/abstractions/X'
+Index: profiles/apparmor.d/abstractions/X
+===================================================================
+--- profiles/apparmor.d/abstractions/X.orig	2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/X	2014-10-18 13:11:31.097494817 +0200
+@@ -23,9 +23,7 @@
+ 
+   # the unix socket to use to connect to the display
+   /tmp/.X11-unix/*           w,
+-  unix (connect, receive, send)
+-       type=stream
+-       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+ 
+   /usr/include/X11/               r,
+   /usr/include/X11/**             r,
+Index: profiles/apparmor.d/abstractions/dbus-accessibility-strict
+===================================================================
+--- profiles/apparmor.d/abstractions/dbus-accessibility-strict.orig	2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/dbus-accessibility-strict	2014-10-18 13:11:31.098494805 +0200
+@@ -9,9 +9,4 @@
+ #
+ # ------------------------------------------------------------------
+ 
+-  dbus send
+-       bus=accessibility
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+-       peer=(name=org.freedesktop.DBus),
+  dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
+Index: profiles/apparmor.d/abstractions/dbus-session-strict
+===================================================================
+--- profiles/apparmor.d/abstractions/dbus-session-strict.orig	2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/dbus-session-strict	2014-10-18 13:11:31.098494805 +0200
+@@ -13,13 +13,6 @@
+   /etc/machine-id r,
+   /var/lib/dbus/machine-id r,
+ 
+-  unix (connect, receive, send)
+-       type=stream
+-       peer=(addr="@/tmp/dbus-*"),
+  unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
+ 
+-  dbus send
+-       bus=session
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+-       peer=(name=org.freedesktop.DBus),
+  dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
+Index: profiles/apparmor.d/abstractions/dbus-strict
+===================================================================
+--- profiles/apparmor.d/abstractions/dbus-strict.orig	2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/dbus-strict	2014-10-18 13:11:31.098494805 +0200
+@@ -11,9 +11,4 @@
+ 
+   /{,var/}run/dbus/system_bus_socket rw,
+ 
+-  dbus send
+-       bus=system
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+-       peer=(name=org.freedesktop.DBus),
+  dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus),
+Index: profiles/apparmor.d/abstractions/ubuntu-unity7-base
+===================================================================
+--- profiles/apparmor.d/abstractions/ubuntu-unity7-base.orig	2014-10-18 13:11:18.497652337 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-base	2014-10-18 13:11:31.098494805 +0200
+@@ -16,41 +16,16 @@
+ #include <abstractions/gnome>
+ 
+   # Allow connecting to session bus and where to connect to services
+-  dbus (send)
+-       bus=session
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member=Hello
+-       peer=(name=org.freedesktop.DBus),
+-  dbus (send)
+-       bus=session
+-       path=/org/freedesktop/{db,DB}us
+-       interface=org.freedesktop.DBus
+-       member={Add,Remove}Match
+-       peer=(name=org.freedesktop.DBus),
+  dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
+  dbus (send) bus=session path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
+   # NameHasOwner and GetNameOwner could leak running processes and apps
+   # depending on how services are implemented
+-  dbus (send)
+-       bus=session
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member=GetNameOwner
+-       peer=(name=org.freedesktop.DBus),
+-  dbus (send)
+-       bus=session
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member=NameHasOwner
+-       peer=(name=org.freedesktop.DBus),
+  dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
+  dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
+ 
+   # Allow starting services on the session bus (actual communications with
+   # the service are mediated elsewhere)
+-  dbus (send)
+-       bus=session
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member=StartServiceByName
+-       peer=(name=org.freedesktop.DBus),
+  dbus (send) bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=StartServiceByName peer=(name=org.freedesktop.DBus),
+ 
+   # Allow connecting to system bus and where to connect to services. Put these
+   # here so we don't need to repeat these rules in multiple places (actual
+@@ -58,108 +33,47 @@
+   # allow apps to brute-force enumerate system services, but our system
+   # services aren't a secret.
+   /{,var/}run/dbus/system_bus_socket rw,
+-  dbus (send)
+-       bus=system
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member=Hello
+-       peer=(name=org.freedesktop.DBus),
+-  dbus (send)
+-       bus=system
+-       path=/org/freedesktop/{db,DB}us
+-       interface=org.freedesktop.DBus
+-       member={Add,Remove}Match
+-       peer=(name=org.freedesktop.DBus),
+  dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello peer=(name=org.freedesktop.DBus),
+  dbus (send) bus=system path=/org/freedesktop/{db,DB}us interface=org.freedesktop.DBus member={Add,Remove}Match peer=(name=org.freedesktop.DBus),
+   # NameHasOwner and GetNameOwner could leak running processes and apps
+   # depending on how services are implemented
+-  dbus (send)
+-       bus=system
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member=GetNameOwner
+-       peer=(name=org.freedesktop.DBus),
+-  dbus (send)
+-       bus=system
+-       path=/org/freedesktop/DBus
+-       interface=org.freedesktop.DBus
+-       member=NameHasOwner
+-       peer=(name=org.freedesktop.DBus),
+  dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner peer=(name=org.freedesktop.DBus),
+  dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameHasOwner peer=(name=org.freedesktop.DBus),
+ 
+   #
+   # Access required for connecting to/communication with Unity HUD
+   #
+-  dbus (send)
+-       bus=session
+-       path="/com/canonical/hud",
+-  dbus (send)
+-       bus=session
+-       interface="com.canonical.hud.*",
+-  dbus (send)
+-       bus=session
+-       path="/com/canonical/hud/applications/*",
+-  dbus (receive)
+-       bus=session
+-       path="/com/canonical/hud",
+-  dbus (receive)
+-       bus=session
+-       interface="com.canonical.hud.*",
+  dbus (send) bus=session path="/com/canonical/hud",
+  dbus (send) bus=session interface="com.canonical.hud.*",
+  dbus (send) bus=session path="/com/canonical/hud/applications/*",
+  dbus (receive) bus=session path="/com/canonical/hud",
+  dbus (receive) bus=session interface="com.canonical.hud.*",
+ 
+   #
+   # Allow access for connecting to/communication with the appmenu
+   #
+   # dbusmenu
+-  dbus (send)
+-       bus=session
+-       interface="com.canonical.AppMenu.*",
+-  dbus (receive, send)
+-        bus=session
+-        path=/com/canonical/menu/**,
+  dbus (send) bus=session interface="com.canonical.AppMenu.*",
+  dbus (receive, send) bus=session path=/com/canonical/menu/**,
+ 
+   # gmenu
+-  dbus (receive, send)
+-       bus=session
+-       interface=org.gtk.Actions,
+-  dbus (receive, send)
+-       bus=session
+-       interface=org.gtk.Menus,
+  dbus (receive, send) bus=session interface=org.gtk.Actions,
+  dbus (receive, send) bus=session interface=org.gtk.Menus,
+ 
+   #
+   # Access required for using freedesktop notifications
+   #
+-  dbus (send)
+-       bus=session
+-       path=/org/freedesktop/Notifications
+-       member=GetCapabilities,
+-  dbus (send)
+-       bus=session
+-       path=/org/freedesktop/Notifications
+-       member=GetServerInformation,
+-  dbus (send)
+-       bus=session
+-       path=/org/freedesktop/Notifications
+-       member=Notify,
+-  dbus (receive)
+-       bus=session
+-       member="Notify"
+-       peer=(name="org.freedesktop.DBus"),
+-  dbus (receive)
+-       bus=session
+-       path=/org/freedesktop/Notifications
+-       member=NotificationClosed,
+-  dbus (send)
+-       bus=session
+-       path=/org/freedesktop/Notifications
+-       member=CloseNotification,
+  dbus (send) bus=session path=/org/freedesktop/Notifications member=GetCapabilities,
+  dbus (send) bus=session path=/org/freedesktop/Notifications member=GetServerInformation,
+  dbus (send) bus=session path=/org/freedesktop/Notifications member=Notify,
+  dbus (receive) bus=session member="Notify" peer=(name="org.freedesktop.DBus"),
+  dbus (receive) bus=session path=/org/freedesktop/Notifications member=NotificationClosed,
+  dbus (send) bus=session path=/org/freedesktop/Notifications member=CloseNotification,
+ 
+   # accessibility
+-  dbus (send)
+-       bus=session
+-       peer=(name=org.a11y.Bus),
+-  dbus (receive)
+-       bus=session
+-       interface=org.a11y.atspi*,
+-  dbus (receive, send)
+-       bus=accessibility,
+  dbus (send) bus=session peer=(name=org.a11y.Bus),
+  dbus (receive) bus=session interface=org.a11y.atspi*,
+  dbus (receive, send) bus=accessibility,
+ 
+   #
+   # Deny potentially dangerous access
+Index: profiles/apparmor.d/abstractions/ubuntu-unity7-launcher
+===================================================================
+--- profiles/apparmor.d/abstractions/ubuntu-unity7-launcher.orig	2014-10-18 13:11:18.497652337 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-launcher	2014-10-18 13:11:31.098494805 +0200
+@@ -1,7 +1,4 @@
+   #
+   # Access required for connecting to/communicating with the Unity Launcher
+   #
+-  dbus (send)
+-      bus=session
+-      interface="com.canonical.Unity.LauncherEntry"
+-      member="Update",
+  dbus (send) bus=session interface="com.canonical.Unity.LauncherEntry" member="Update",
+Index: profiles/apparmor.d/abstractions/ubuntu-unity7-messaging
+===================================================================
+--- profiles/apparmor.d/abstractions/ubuntu-unity7-messaging.orig	2014-10-18 13:11:18.498652324 +0200
+++ profiles/apparmor.d/abstractions/ubuntu-unity7-messaging	2014-10-18 13:11:31.099494792 +0200
+@@ -2,6 +2,4 @@
+   # Access required for connecting to/communicating with the Unity messaging
+   # indicator
+   #
+-  dbus (receive, send)
+-       bus=session
+-       path="/com/canonical/indicator/messages/*",
+  dbus (receive, send) bus=session path="/com/canonical/indicator/messages/*",
+Index: profiles/apparmor.d/abstractions/gnome
+===================================================================
+--- profiles/apparmor.d/abstractions/gnome.orig	2014-10-06 21:06:23.000000000 +0200
+++ profiles/apparmor.d/abstractions/gnome	2014-10-18 13:17:22.661505791 +0200
+@@ -88,6 +88,4 @@
+ 
+   # Allow connecting to the GNOME vfs socket (still need corresponding DBus
+   # rules)
+-  unix (send, receive, connect)
+-       type=stream
+-       peer=(addr="@/dbus-vfs-daemon/socket-*"),
+  unix (send, receive, connect) type=stream peer=(addr="@/dbus-vfs-daemon/socket-*"),
--- a/apparmor-profiles-ntpd-pid-location.diff
+++ b/apparmor-profiles-ntpd-pid-location.diff
@ -1,12 +0,0 @@
-=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
--- profiles/apparmor.d/usr.sbin.ntpd	2013-11-14 20:48:51 +0000
-+++ profiles/apparmor.d/usr.sbin.ntpd	2014-10-06 17:57:46 +0000
-@@ -55,6 +55,7 @@
-   /var/opt/novell/xad/rpc/xadsd rw,
-   /{,var/}run/nscd/services r,
-   /{,var/}run/ntpd.pid w,
-+  /{,var/}run/ntp/ntpd.pid w,
-   /var/tmp/ntp* rwl,
-   @{PROC}/@{pid}/net/if_inet6 r,
- 
-
--- a/apparmor.changes
+++ b/apparmor.changes
@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Sat Oct 18 09:43:19 UTC 2014 - opensuse@cboltz.de
+
+- update to AppArmor 2.9.0 (r2759)
+  - change aa-mergeprof to the final commandline syntax
+  - lots of bugfixes in the aa-* tools (bnc#900163, lp#1328707 and several
+    bugs without a formal bugreport)
+  - small additions to gnome, freedesktop.org, ubuntu-browsers.d/java 
+    and user-mail abstractions
+  - fix mod_apparmor to not break basic auth
+  - update perl modules to support signal, unix and ptrace rules (bnc#900013)
+  - don't warn about rules not supported by the kernel
+  - fix logging of "audit capability" (lp#1378091)
+  - add support for the "hat" keyword in apparmor.vim
+  - build html version of apparmor.vim manpage again (lp#1366572)
+  - see also http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_0
+- update apparmor-abstractions-no-multiline.diff
+- remove upstreamed apparmor-profiles-ntpd-pid-location.diff
+
+-------------------------------------------------------------------
+Fri Oct 10 23:22:26 UTC 2014 - opensuse@cboltz.de
+
+- add apparmor-abstractions-no-multiline.diff: change all multiline
+  rules into one line. Needed for yast2-apparmor (bnc#900013)
+
 -------------------------------------------------------------------
 Mon Oct  6 18:07:50 UTC 2014 - opensuse@cboltz.de

--- a/apparmor.spec
+++ b/apparmor.spec
@ -60,7 +60,7 @@ Name:           apparmor
 %if ! %{?distro:1}0
  %define distro suse
 %endif
-Version:        2.8.97
+Version:        2.9.0
 Release:        0
 Summary:        AppArmor userlevel parser utility
 License:        GPL-2.0+
@ -88,8 +88,9 @@ Patch4:         apparmor-2.5.1-edirectory-profile
 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
 Patch5:         ruby-2_0-mkmf-destdir.patch

-# Allow new pid location in ntpd profile (bnc#899746 - commited upstream trunk r2723, 2.8 branch r2145)
-Patch6:         apparmor-profiles-ntpd-pid-location.diff
+# change multiline rules in abstractions to one line - needed because YaST still uses the perl module, which doesn't support multiline rules
+# (bnc#900013, not for upstream)
+Patch6:         apparmor-abstractions-no-multiline.diff

 Url:            https://launchpad.net/apparmor
 PreReq:         sed
@ -431,6 +432,8 @@ SubDomain.
 %endif

 %patch6
+# search for left-over multiline rules
+test -z "$(grep -r '^\s*\(unix\|dbus\)[^,]\(([^)]*)\)*[^,]*$' profiles/apparmor.d/)"

 %build
 echo _libdir: %{_libdir}  ruby: %{rb_sitearch}  python: %{python3_sitearch} # test if _libdir breaks it or if it's broken by default on <= 12.1
@ -590,6 +593,7 @@ echo -------------------------------------------------------------------
 %files docs
 %defattr(-,root,root)
 %doc parser/*.[1-9].html
+%doc utils/vim/apparmor.vim.5.html
 %doc common/apparmor.css
 %doc parser/techdoc.pdf parser/techdoc/techdoc.html parser/techdoc/techdoc.css parser/techdoc.txt
 # apparmor.vim is included in the vim package. Ideally it should be in a -devel package, but that's overmuch for one file